84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a

General

Target

84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
Size

3.0MB
MD5

a8a106555b9e1f92569d623c66ee8c12
SHA1

a5080c26b5f5911c10d80654c84239a226fc75d1
SHA256

84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA512

9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
SSDEEP

49152:3WjN903V68U3f1uXAlL/EUSiITRf+EGg7dyvUCUDaB5+Tc6k1HFm:3IrIVbUYiLs4vUCU5T0w

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4048	wmic.exe
Token: SeSecurityPrivilege	4048	wmic.exe
Token: SeTakeOwnershipPrivilege	4048	wmic.exe
Token: SeLoadDriverPrivilege	4048	wmic.exe
Token: SeSystemProfilePrivilege	4048	wmic.exe
Token: SeSystemtimePrivilege	4048	wmic.exe
Token: SeProfSingleProcessPrivilege	4048	wmic.exe
Token: SeIncBasePriorityPrivilege	4048	wmic.exe
Token: SeCreatePagefilePrivilege	4048	wmic.exe
Token: SeBackupPrivilege	4048	wmic.exe
Token: SeRestorePrivilege	4048	wmic.exe
Token: SeShutdownPrivilege	4048	wmic.exe
Token: SeDebugPrivilege	4048	wmic.exe
Token: SeSystemEnvironmentPrivilege	4048	wmic.exe
Token: SeRemoteShutdownPrivilege	4048	wmic.exe
Token: SeUndockPrivilege	4048	wmic.exe
Token: SeManageVolumePrivilege	4048	wmic.exe
Token: 33	4048	wmic.exe
Token: 34	4048	wmic.exe
Token: 35	4048	wmic.exe
Token: 36	4048	wmic.exe
Token: SeIncreaseQuotaPrivilege	4048	wmic.exe
Token: SeSecurityPrivilege	4048	wmic.exe
Token: SeTakeOwnershipPrivilege	4048	wmic.exe
Token: SeLoadDriverPrivilege	4048	wmic.exe
Token: SeSystemProfilePrivilege	4048	wmic.exe
Token: SeSystemtimePrivilege	4048	wmic.exe
Token: SeProfSingleProcessPrivilege	4048	wmic.exe
Token: SeIncBasePriorityPrivilege	4048	wmic.exe
Token: SeCreatePagefilePrivilege	4048	wmic.exe
Token: SeBackupPrivilege	4048	wmic.exe
Token: SeRestorePrivilege	4048	wmic.exe
Token: SeShutdownPrivilege	4048	wmic.exe
Token: SeDebugPrivilege	4048	wmic.exe
Token: SeSystemEnvironmentPrivilege	4048	wmic.exe
Token: SeRemoteShutdownPrivilege	4048	wmic.exe
Token: SeUndockPrivilege	4048	wmic.exe
Token: SeManageVolumePrivilege	4048	wmic.exe
Token: 33	4048	wmic.exe
Token: 34	4048	wmic.exe
Token: 35	4048	wmic.exe
Token: 36	4048	wmic.exe
Token: SeIncreaseQuotaPrivilege	4336	WMIC.exe
Token: SeSecurityPrivilege	4336	WMIC.exe
Token: SeTakeOwnershipPrivilege	4336	WMIC.exe
Token: SeLoadDriverPrivilege	4336	WMIC.exe
Token: SeSystemProfilePrivilege	4336	WMIC.exe
Token: SeSystemtimePrivilege	4336	WMIC.exe
Token: SeProfSingleProcessPrivilege	4336	WMIC.exe
Token: SeIncBasePriorityPrivilege	4336	WMIC.exe
Token: SeCreatePagefilePrivilege	4336	WMIC.exe
Token: SeBackupPrivilege	4336	WMIC.exe
Token: SeRestorePrivilege	4336	WMIC.exe
Token: SeShutdownPrivilege	4336	WMIC.exe
Token: SeDebugPrivilege	4336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4336	WMIC.exe
Token: SeRemoteShutdownPrivilege	4336	WMIC.exe
Token: SeUndockPrivilege	4336	WMIC.exe
Token: SeManageVolumePrivilege	4336	WMIC.exe
Token: 33	4336	WMIC.exe
Token: 34	4336	WMIC.exe
Token: 35	4336	WMIC.exe
Token: 36	4336	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4336	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.execmd.execmd.exe

description	pid	process	target process
PID 3232 wrote to memory of 4048	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	wmic.exe
PID 3232 wrote to memory of 4048	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	wmic.exe
PID 3232 wrote to memory of 4048	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	wmic.exe
PID 3232 wrote to memory of 4316	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	cmd.exe
PID 3232 wrote to memory of 4316	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	cmd.exe
PID 3232 wrote to memory of 4316	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	cmd.exe
PID 4316 wrote to memory of 4336	4316	cmd.exe	WMIC.exe
PID 4316 wrote to memory of 4336	4316	cmd.exe	WMIC.exe
PID 4316 wrote to memory of 4336	4316	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 2204	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	cmd.exe
PID 3232 wrote to memory of 2204	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	cmd.exe
PID 3232 wrote to memory of 2204	3232	84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe	cmd.exe
PID 2204 wrote to memory of 4176	2204	cmd.exe	WMIC.exe
PID 2204 wrote to memory of 4176	2204	cmd.exe	WMIC.exe
PID 2204 wrote to memory of 4176	2204	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
"C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
72KB

MD5
2b8e1b75b4d4fdf0c640838191ac3946

SHA1
dfac012ccaa015f6a9ec5bd1c55ffa7b8074fb7f

SHA256
17a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e

SHA512
3c4de03250813dc78b772cc7e3246ac2726c37fae00844bfceda683e05506b53ba7ea95a06e2929e8ec736ccd50a9138e9f6e3c80980ebde5ed7ac66f06cc038

Download Submit

Analysis

Sharing